GNU bug report logs - #52562
[PATCH] gnu: xorg-server: Update to 21.1.2.

Previous Next

Package: guix-patches;

Reported by: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>

Date: Thu, 16 Dec 2021 23:31:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 52562 in the body.
You can then email your comments to 52562 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Thu, 16 Dec 2021 23:31:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kaelyn Takata <kaelyn.alexi <at> protonmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 16 Dec 2021 23:31:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
To: guix-patches <at> gnu.org
Cc: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>
Subject: [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Thu, 16 Dec 2021 23:29:50 +0000
* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
---
 gnu/packages/xorg.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 85a93dee30..204fd857c0 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5234,7 +5234,7 @@ (define-public libxcvt
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "21.1.1")
+    (version "21.1.2")
     (source
      (origin
        (method url-fetch)
@@ -5243,7 +5243,7 @@ (define-public xorg-server
                            "/xserver/xorg-server-" version ".tar.xz"))
        (sha256
         (base32
-         "0md7dqsc5qb30gym06c4zc2cjsdc5ps8nywk1bkcpix05kppybkq"))
+         "1c4dgvpv3kib8rhw37b00vc056nlb1z66c2lwzs4prz8kxmg82y2"))
        (patches
         (list
          ;; See:

base-commit: b329c2139b9f0818f27107bec5226cb98cfe1446
-- 
2.34.0






Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sat, 18 Dec 2021 15:25:02 GMT) Full text and rfc822 format available.

Message #8 received at 52562 <at> debbugs.gnu.org (full text, mbox):

From: Kaelyn <kaelyn.alexi <at> protonmail.com>
To: "52562 <at> debbugs.gnu.org" <52562 <at> debbugs.gnu.org>
Subject: [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Sat, 18 Dec 2021 15:23:51 +0000
Hi,

I would like to propose this update for the 1.4.0 branch as well, as xorg-server 21.1.2 fixes four recently reported security vulnerabilities that can lead to priviledge escalation: https://lists.x.org/archives/xorg/2021-December/060842.html

Cheers,
Kaelyn




Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sat, 18 Dec 2021 20:41:01 GMT) Full text and rfc822 format available.

Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>
Cc: Kaelyn Takata <kaelyn.alexi <at> protonmail.com>, 52562 <at> debbugs.gnu.org
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Sat, 18 Dec 2021 15:40:01 -0500
On Thu, Dec 16, 2021 at 11:29:50PM +0000, Kaelyn Takata via Guix-patches via wrote:
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.

Thanks! I am reviewing this patch now. It's not quite as simple as it
seems because we must take care to avoid changing xorg-server-for-tests,
or almost every package will have to be rebuilt.

See section 8 here for more information about how many package rebuilds are okay
for the master branch:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html#Submitting-Patches




Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sat, 18 Dec 2021 20:41:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sun, 19 Dec 2021 01:50:01 GMT) Full text and rfc822 format available.

Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kaelyn <kaelyn.alexi <at> protonmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 52562 <at> debbugs.gnu.org,
 Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Sun, 19 Dec 2021 01:49:08 +0000
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, December 18th, 2021 at 12:40 PM, Leo Famulari <leo <at> famulari.name> wrote:

> On Thu, Dec 16, 2021 at 11:29:50PM +0000, Kaelyn Takata via Guix-patches via wrote:
>
> > -   gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
>
> Thanks! I am reviewing this patch now. It's not quite as simple as it
>
> seems because we must take care to avoid changing xorg-server-for-tests,
>
> or almost every package will have to be rebuilt.
>
> See section 8 here for more information about how many package rebuilds are okay
>
> for the master branch:
>
> https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html#Submitting-Patches

No worries, and take your time! I just wanted to ping the patch so that the security fixes could land before the 1.4 release. :)

When I first sent it, on my machine "guix refresh --list-dependent xorg-serv" said it was 80-something packages that would be rebuilt (just checked again after typing that, and it says 82 packages would be built to ensure 137 dependet packages are rebuilt).

Thanks,
Kaelyn




Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sun, 19 Dec 2021 01:50:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sun, 19 Dec 2021 04:58:01 GMT) Full text and rfc822 format available.

Message #23 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kaelyn <kaelyn.alexi <at> protonmail.com>
Cc: 52562 <at> debbugs.gnu.org,
 Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Sat, 18 Dec 2021 23:56:53 -0500
On Sun, Dec 19, 2021 at 01:49:08AM +0000, Kaelyn wrote:
> No worries, and take your time! I just wanted to ping the patch so that the security fixes could land before the 1.4 release. :)

Sure, I intend to land the patch in the next day or so.

> When I first sent it, on my machine "guix refresh --list-dependent xorg-serv" said it was 80-something packages that would be rebuilt (just checked again after typing that, and it says 82 packages would be built to ensure 137 dependet packages are rebuilt).

Right, that's correct. But there is a also a package
'xorg-server-for-tests', which is used basically for package test
suites. The idea is that it's never used "for real" and so security
issues matter less. And we update that package less often.

You can check on that package like this:

                                Scheme syntax for working with "hidden" packages
-----                           ▼
$ guix refresh -l --expression='(@@ (gnu packages xorg) xorg-server-for-tests)'
Building the following 1419 packages would ensure 3063 dependent packages are rebuilt:
[...]
------




Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sun, 19 Dec 2021 04:58:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sun, 19 Dec 2021 20:32:02 GMT) Full text and rfc822 format available.

Message #29 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kaelyn <kaelyn.alexi <at> protonmail.com>
Cc: 52562 <at> debbugs.gnu.org,
 Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Sun, 19 Dec 2021 15:30:59 -0500
[Message part 1 (text/plain, inline)]
On Sat, Dec 18, 2021 at 11:56:53PM -0500, Leo Famulari wrote:
> Sure, I intend to land the patch in the next day or so.

Alright, with the attached patch, X works in my tests, and
xorg-server-for-tests is unchanged.

It would be great to get some more testing from other X users.

I tested with QEMU, using our VM image template:

`guix environment guix -- ./pre-inst-env guix system vm-image --image-size=20G -t qcow2 gnu/system/examples/vm-image.tmpl`

I can't test on bare metal due to <https://issues.guix.gnu.org/52051>.
[0001-gnu-xorg-server-Update-to-21.1.2.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Sun, 19 Dec 2021 20:32:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Tue, 21 Dec 2021 17:37:01 GMT) Full text and rfc822 format available.

Message #35 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kaelyn <kaelyn.alexi <at> protonmail.com>
Cc: 52562 <at> debbugs.gnu.org,
 Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Tue, 21 Dec 2021 12:36:39 -0500
[Message part 1 (text/plain, inline)]
On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> It would be great to get some more testing from other X users.

In case anybody is wondering about the security issues, the commit
message has been amended like this in my tree:

------
gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
(xorg-server-for-tests): Use version 21.1.1.
------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Tue, 21 Dec 2021 17:37:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Tue, 21 Dec 2021 17:48:01 GMT) Full text and rfc822 format available.

Message #41 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kaelyn <kaelyn.alexi <at> protonmail.com>
Cc: 52562 <at> debbugs.gnu.org,
 Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Tue, 21 Dec 2021 12:47:38 -0500
[Message part 1 (text/plain, inline)]
On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> > It would be great to get some more testing from other X users.
> 
> In case anybody is wondering about the security issues, the commit
> message has been amended like this in my tree:

And, we may have a solution for the login timeout that has been
preventing testing for many of us. A patch for #52051 has been proposed:

https://issues.guix.gnu.org/issue/52051#29
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Tue, 21 Dec 2021 17:48:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Tue, 21 Dec 2021 19:10:01 GMT) Full text and rfc822 format available.

Message #47 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kaelyn <kaelyn.alexi <at> protonmail.com>
Cc: 52562 <at> debbugs.gnu.org,
 Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Tue, 21 Dec 2021 14:09:03 -0500
[Message part 1 (text/plain, inline)]
On Tue, Dec 21, 2021 at 12:47:38PM -0500, Leo Famulari wrote:
> On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> > On Sun, Dec 19, 2021 at 03:30:59PM -0500, Leo Famulari wrote:
> > > It would be great to get some more testing from other X users.
> > 
> > In case anybody is wondering about the security issues, the commit
> > message has been amended like this in my tree:
> 
> And, we may have a solution for the login timeout that has been
> preventing testing for many of us. A patch for #52051 has been proposed:
> 
> https://issues.guix.gnu.org/issue/52051#29

Alright, with the fix for #52051, I successfully used xorg-server 21.1.2
on my laptop.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Tue, 21 Dec 2021 19:10:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Wed, 22 Dec 2021 13:57:02 GMT) Full text and rfc822 format available.

Message #53 received at 52562 <at> debbugs.gnu.org (full text, mbox):

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Leo Famulari <leo <at> famulari.name>, Kaelyn <kaelyn.alexi <at> protonmail.com>
Cc: 52562 <at> debbugs.gnu.org
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Wed, 22 Dec 2021 14:56:19 +0100
Hello,

Leo Famulari <leo <at> famulari.name> writes:
> In case anybody is wondering about the security issues, the commit
> message has been amended like this in my tree:
>
> ------
> gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].
>
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
> (xorg-server-for-tests): Use version 21.1.1.
> ------

Just pitching in to say that those CVE numbers should be fully typed
instead of using shell expansion-style, so that one can run `git log
--grep=CVE-2021-4008`.  Note that these can be in the commit message
body.

-- 
Josselin Poiret




Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Wed, 22 Dec 2021 17:20:01 GMT) Full text and rfc822 format available.

Message #56 received at 52562 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: Kaelyn <kaelyn.alexi <at> protonmail.com>, 52562 <at> debbugs.gnu.org
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Wed, 22 Dec 2021 12:19:37 -0500
On Wed, Dec 22, 2021 at 02:56:19PM +0100, Josselin Poiret wrote:
> Just pitching in to say that those CVE numbers should be fully typed
> instead of using shell expansion-style, so that one can run `git log
> --grep=CVE-2021-4008`.  Note that these can be in the commit message
> body.

Okay. Can you help test the patch itself?




Information forwarded to guix-patches <at> gnu.org:
bug#52562; Package guix-patches. (Wed, 22 Dec 2021 23:40:02 GMT) Full text and rfc822 format available.

Message #59 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kaelyn <kaelyn.alexi <at> protonmail.com>
Cc: Kaelyn Takata via Guix-patches via <guix-patches <at> gnu.org>,
 52562-done <at> debbugs.gnu.org
Subject: Re: [bug#52562] [PATCH] gnu: xorg-server: Update to 21.1.2.
Date: Wed, 22 Dec 2021 18:38:53 -0500
[Message part 1 (text/plain, inline)]
On Tue, Dec 21, 2021 at 12:36:39PM -0500, Leo Famulari wrote:
> ------
> gnu: xorg-server: Update to 21.1.2 [fixes CVE-2021-{4008,4009,4010,4011}].
> 
> * gnu/packages/xorg.scm (xorg-server): Update to 21.1.2.
> (xorg-server-for-tests): Use version 21.1.1.
> ------

Pushed as 0751451ae3a77977916b67577837349219d482ec
[signature.asc (application/pgp-signature, inline)]

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Wed, 22 Dec 2021 23:40:02 GMT) Full text and rfc822 format available.

Notification sent to Kaelyn Takata <kaelyn.alexi <at> protonmail.com>:
bug acknowledged by developer. (Wed, 22 Dec 2021 23:40:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 20 Jan 2022 12:24:13 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 68 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.